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roENTTTY^rENTRIC DATA ACCESS 
BACKGROUND OF THF. INVENTION 

1. The Field of the Invention 

[0001] The present invention relates to the field of data access technologies. 
5 Specificallyrtfae-presgitinventionrelates-to^m 

in a user or identityH^ratric manner rather than in an applicadon-centric manner. 

2. Background and Related Art 

[0002] The Internet has revolutionized the way people access information. With 
the aid of a conventional Internet-enabled computing device, one may obtain 

10 information on almost any subject with relatively little effort. Infommtion is so 
abundmt, that our ability to manage such information is often overwhelmed. 
[0003] However, uiformation is often irrelevant to all but a few. Some 
information is specific to only a single identity such as a person, group of people or 
organization. Such information may include, for example, addresses, telephone 

15 numbers, contacts, task lists, journals, schedules, grocery lists, music &vorites and 
other preferences. 

[0004] In order to manage such identity-specific information, a data access model 
100 was developed as illustrated in Figure 1 . The data access model 100 include three 
fundamental components; an identity 110, an application 120, and data 130. The 

20 application 120 manages data 130 that the application 120 needs to operate properly. 
The data 130 typically includes identity-specific data as well as other types of data. 
During operation, the application 120 typically performs various operations on the 
data 130 either on its own initiative, or in response to instructions issued by the 
identity 1 10 or another program module. 

25 [0005] The bi-directional arrow 140 represents a strong logical coupling between 
the application 120 and the data 130. Although the data 130 may include identity- 
specific data, the data 130 may be accessed only through the application that manages 
the data. For example, a Web-based grocery service application may manage a 
grocery list for an individual, store a residence address for delivery of the groceries, 

30 and store credit card information for automatic payment. All of this data is identity- 
specific. However, the data is accessed only through the Web-based grocery service 
application. Likewise, a calendar application may maintain schedule information for 



wo 02/073339 



PCT/US02/06329 



a given identity. This calendar data is accessed via the calendar application only. 

[0006] Figure 2 illustrates this principles by extending the model of Figure 1 to 

include multiple application programs, each interacting with their own data. For 

example, in addition to using application 120, the identity 110 also interfeces with 
5 aj>plications 221 through 224. Each application 221 through J224 interacts with their 

own data 231 through 234, respectively. While there may be considerable 
redundancy between the data represented by data 130 and 231 through 234, each set 

of data is maintained and accessed via its own corresponding t^jplication. 

[0007J Although functional, maintaining data on a per-^lication basis has 
10 disadvantages. Namely, if an application is no longer available, the corresponding 
data is often lost. For example, if an individual wanted to change Web-based groceiy 
services, the individual would typically have to reenter the grocery list and the 
delivery address to a new Web-based plication. Also, suppose a caloidar 
q>plication m ain t ain e d schedule information in a proprietary format. In order to 
15 cdiange from that calendar application, a user may have to reenter the calendar 
information for the next ^>pIication. 

[0008] In addition, since the application maintains the data, the user must access 
the data via the applicatioiL If the application is not mobile, the data is not mobile 
either, absent efforts to make tiie data redundant in multiple locations. Making the 

20 data redundant between applications often requires user effort to periodically 
synchronize the data. In addition, between synchronizations, the data sets in the 
different applications may diverge as the data changes. Sometimes, if the data 
diverges inconsistently in both applications, user intervoition is required to resolve 
the inconsistoicies. Accordingly, if the i^lication is not mobile, the data is not 

25 mobile either without e9q>ending user effort. 

[0009] Therefore, what is desired are mediods, systems and computer program 
products for allowing identities more flexible access to and control over their 
corresponding identity-specific information regardless of the application. 

SUMMARY OF THE INVENTION 

30 [0010] Methods, systems, and computer program products are described that 
facilitate more identity-centric data access. An identity may be a user, a group of 
users, an organization, an automated agent or proxy for a user or organization, or any 
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other identifiable entity. Instead of data being maintained on an application-by- 
application basis, the data associated with a particular identity is stored by one or 
moie data services accessible by many applications. Each data service may store a 
particular type of data for a number of identities. For example, there may be a 

5- ^calendar-ciatajservice ihat ^stores^calendar information for the identity, an iii-box data 
service that stores received e-mails for the identity, and the like. 
[0011] The data is stored in accordance with a schema that is recognized by a 
number of different applications and the data service. When a user is to perform an 
operation on the identity's data, the application that the user is interfacing with 

10 generates a message that has a structure that is recognized by the data service. The 
message represents a request to perform an operation on the data structure 
corresponding to the identity. The data service receives and interprets the message, 
and then determines whetiher or not to honor the request. For example, the data 
service may consult corresponding access control rules to determine if the iq)plication 

15 or user is authorized to perform the operation. An example of access control rules is 
an Access Control List or ACL. If authorized, tiie data service then performs the 
operation. The operation may include, for example deleting, updating, adding, or 
querying the data structure. 

[0012] Any application that is authorized to perform an operation on an identity's 
20 data, and that structures a request message that is recognized by the service, may 
cause the requested operation to be performed on the identity's data. When an 
application needs to read the data, the application may read the data from the data 
service. When an application needs to write to the data, the application may write to 
the data service. 

25 [0013] The identity may maintain control over which applications have what 
access to the data by altering the access control rules as desu-ed. Thus, although the 
data may be maintained remotely, the data is still under the control of the identity. 
The identity may extend and revoke access privileges at will. 

[0014] In one embodiment, the data service is implemented as a Web site or a 
30 Web service. However, the data service may also be implemented by a variety of 
connected computing devices. It is not essential to the invention the particular type of 
computing device or devices that implements the data service. Any connected 
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devices may implement the data service such as personal computers, hand-held 
devices, multi-processor systems, microprocessor-based or programmable consumer 
electronics, network PCs, minicomputers, mainframe computers, and the like, or 
combinations thereof. Thus, any application that is authorized and capable may 
5 communicate with the Web -site or service to access4he data. This fecilitates a wide 
variety of helpful scenarios. For example, a user may switch from one application on 
one device to another application on another device and still have access to tiie same 
data, without having to expend effort ssmchronizing or otherwise copying the data 
from one device to the other. Each application just accesses the identity's data via the 

10 data service instead* 

[0015] Also, if a user subscribes to a new service, the user need not manually 
populate the new service with relevant identity-specific information such as name, 
address, telephone number, and the like. Instead, the user may simply generate a 
request to operate on the identity's data (specifically, the corresponding Access 

15 Control List) such that the application is then entitled to itself read the relevant 
identity-specific data, without requiring manual input. 

[0016] Thus, the principles of the present invention provide an efficient model for 
accessing data on an identity-specific basis rather than having each application 
redimdantly maintain its own data. Additional features and advantages of the 

20 invention will be set forth in the description which follows, and in part will be 
obvious fix)m the description, or may be learned by the practice of the invention. The 
features and advantages of the invention may be realized and obtained by means of 
the instruments and combinations particularly pointed out in the expended claims. 
These and other features of the present invention will become more fiilly apparent 

25 fix)m the following description and appended claims, or may be learned by the 
practice of the invention as set forth hereinafter. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0017] In order to describe the manner in which the above-recited and other 
advantages and features of the invention can be obtained, a more particular 

30 description of the invention briefly described above will be rendered by reference to 
specific embodiments thereof which are illustrated in the appended drawings. 
Understanding that these drawings depict only typical embodiments of the invention 
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and are not therefore to be considered to be limiting of its scope, the invention will be 
described and explained with additional specificity and detail through the use of the 
accompanying drawings in which: 

[0018] Figure 1 schematically illustrates a model that depicts the conventional 
5 -relationship between an identic, an application,-and-data i^^ 

art in which there is a strong coupling between the application and the data; 
[0019] Figure 2 schematically illustrates the conventional model of Figure 1 in 
which multiple applications interact with corresponding data on an appiication-by- 
appUcation basis; 

10 [0020] Figure 3 schematically illustrates a model depicting the relationship 
betwera a user, an iq)plicatipn, and data in accordance with the present invention in 
which there is a strong coiqpling between the identity and the data; 
[0021] Figure 4 schematically illustrates the model of Figure 3 in which multiple 
£q)plications interact with the same set of data; 

IS [0022] Figure 5 illustrates the model of Figure 3 in which further details are 
illustrated for the data service that provides the data and the strong coupling between 
the identity and the data; 

[0023] Figure 6 is a flowchart of a method of performing operations on an 
identity's data with the identity's authorization in accordance with the present 
20 invention; 

[0024] Figure 7 is a flowchart of a stmctured method for determining an address 
of a user's data. 

[0025] Figure 8 schematically illustrates a data stmcture of a request that is in 

accordance with the message format recognized by the service and applications; 
25 [0026] Figure 9 illustrates a data object in which the meaning of the various fields 

of the data structure is imderstood by interpretation in light of a schema; 

[0027] Figure 10 illustrates the structure of a service that responds to structured 

requests to perform data operations, and provides structured responses in accordance 

with the present invention; 
30 [0028] Figure 1 1 schematically illustrates a computing device that may implement 

the features of the present invention; and 
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[0029] Figure 12 schematically illustrates a station that may perform centralized 
processing of coixmiimications between the applications and the services. 

DETAILED DESCRIPTION OF THE INVENTION 
[0030] The present invention extends to methods, systems, and computer program 
5 products for accessing identity-specific data independent of the application accessing 
the data. Throughout this description and in the claims, an identity is defined as being 
a person, a group of people, an organization, or any other identifiable entity. Such 
identifiable entities may include, for example, a science project, a fimdraising event, a 
word processing document, a power point presentation, a conference room, or an x- 

10 ray noachine. However, this list is illustrative only, and not exhaustive. The model 
for accessing data includes three fimdamental components; an identity, an application, 
and a data service. Ralfaa* than ^ application directly maintaining identity*-specific 
data, tbe data service maintains die identity-specific data on behalf of the identity. 
Any of a number of applications may then access the data service to operate on the 

15 identity-specific data. 

[0031] The embodiments of the present invention may comprise a special purpose 
or general purpose computing device including various computer hardware, as 
discussed in greater detail below. Embodiments within the scope of the present 
invention also include computer-readable media for carrying or having computer- 

20 executable instmctions or data structures stored thereon. Such computer-readable 
media can be any available media which can be accessed by a general purpose or 
special purpose computer. By way of example, and not limitation, such computer- 
readable media can comprise physical storage media such as RAM, ROM, EEPROM, 
CD-ROM or other optical disk storage, magnetic disk storage or other magnetic 

25 storage devices, or any other medium wiiich can be used to carry or store desired 
program code means in the form of computer-executable instructions or data 
structures and which can be accessed by a general purpose or special purpose 
computer. The claims may mention the term "computer program product.*' In this 
description and in the claims, this term does not imply that the computer program 

30 product was bought for a price. The term "computer program products" may also 
include free products. 
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[0032] When infonnation is transferred or provided over a network or another 
communications connection (either hardwired, wireless, or a combination of 
hardwired or wireless) to a computer, the computer properly views the connection as a 
computer-readable medium. Thus, any such connection is properly termed a 

5 computer-readable medium. Combinations of tiie above should also be -included 
v^rithin the scope of computer-readable media. Computer-executable uistructions 
comprise, for example, instructions and data which cause a general purpose computer, 
special purpose computer, or special purpose processing device to perform a certain 
function or group of functions. In tiiis description and in the claims, a "network" is 

10 defined as any medium over vMch messages may be communicated. Thus, a network 
may include a medium for messaging between two different machines. However, a 
network may also be a mechanism for communicating messages between two 
processes running on the same m a chine . 

[0033] Although not required, the invention will be described in the general 
15 context of computer-executable instiuctions, such as program modules, being 
executed by computing devices. Generally, program modules include routines, 
programs, objects, components, data strurtures, and tiie like that perfonn particular 
tasks or implement particular abstiact data types. Computer-executable instructions, 
associated data sttuctiires, and program modules represent examples of the program 
20 code means for executing steps of the metiiods disclosed herein. The particular 
sequence of such executable instructions or associated data sUructures represent 
examples of corresponding acts for implementing the fimctions described in such 
st^s. 

[0034] Those skilled in the art will appreciate that the mvention may be jiracticed 
25 in network computing environments with many types of computer system 
configurations, includmg personal computers, hand-held devices, multi-processor 
systems, microprocessor-based or programmable consumer electronics, network PCs, 
minicomputers, mainframe computers, and the like. The invention may also be 
practiced in distributed computing environments where tasks are performed by local 
30 and remote processing devices that are linked (eitiier by hardwired links, wireless 
links, or by a combination of hardwired or wireless links) through a communications 
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network. In a distributed computing environment, program modules may be located 
in both local and remote memory storage devices. 

[0035] In contrast to the application-centric model for data access illustrated in 
Figures 1 and 2, the principles of the present invention allow an identity to have 
5 control over its identity-specific data independent of thei5>plication used to access the 
data. Figure 3 schematically illustrates a model 300 for accessing data in accordance 
with the present invention. Figure 3 may be contrasted with Figure 1. The model 
includes an identity 310, an plication 320, and a data services 331 that maintains 
identity-specific data 330. In contrast to arrow 140 of Figure 1, an arrow 340 of 
10 Figure 3 represents a strong coupling between the identity 310 and the identity- 
specific data 330. 

[0036] The data services 331 is represented by a cloud shsqpe to emphasize that 
Ae data services 331 is accessible regardless of the application and device used so 
long as the plication and device are capable of implementing the principles of the 
1 5 present mvention. Figure 4 illustrates this principle by showing the model of Figure 3 
in which the identity 310 accesses the identity-specific data 330 through multiple 
applications 320 and 421 through 424. Figure 4 may be contrasted with Figure 2. 
Instead of each application owning its own data, each application accesses the 
relevant identity-specific data firom data services 33 1 . 
20 [0037] Although not required, the ^plications 320 and 421 through 424 may 
perform different functions and be implemented on different devices. For example, 
the identity 310 might use a desktop Personal Computer or "PC" running application 
320 to draft a word processing document, and then move to a Personal Digital 
Assistant (hereinafter, "PDA") that runs application 421 to contmue editing. The 
25 identity may accomplish Has even though the word processing applications locally 
represent the word processing document using incompatible data structures, and 
without having to synchronize the word processing document between the desktop PC 
and the PDA. From the identity's perspective, it is as though the identity 310 
retrieves the word processing document fi-om an ever-present and ever-accessible sky 
30 filled with all of the associated identity-specific data. 

[0038] Not only may the identity access its own identity-specific data, but flie 
identity may authorize other individuals and applications to perform specific 
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operations on all or portions of the identity's data. For example, an identity may 
authorize a Web-based weather application to read, but not alter, the identity's address 
mformation to extract the zip code or town so that weather forecasts may be tailored 
to the identity. If the identity were to move, the identity would update the address 
5 information. Accordingly, the next time the identic rum application, the 

weather application would provide a weather forecast specific to the new address. 
Thus, with just this authorization, the identity has avoided having to re-enter zip code 
information directly to the weather application. Many applications may benefit by 
avoiding this kind of manual entry of data using this kind of authorization. The 

10 weather application mentioned herein is just one example of such an application. 

[0039] As another example, suppose that the identity is to sign up for a Web- 
based grocery delivery service. Instead of having to enter in the personal information 
and a grocery list, the identity may authorize the grocery delivery service application 
to have access to the address information as well as a grocery list for weekly delivery. 

15 The identity has avoided having to manually enter the information at the time it 
signed up for the service. Instead, the personal information and the grocery list were 
made accessible to the application Arough simple authorizations. Should the identity 
desire to switch Web-based grocery delivery services, the identity would retract 
authorizations granted to the previous application, and grant the same authorizations 

20 to the new application, thus again avoiding having to reenter the information. 

[0040] Figure 5 shows more details regarding how the data access model 300 
accomplishes this flexible organization and management of data on an identity- 
specific basis. The data services 33 1 includes a variety of type-specific data services 
510 that manage identity-specific data in the form of data objects. Each service 

25 manages a specific type of data object for one or more identities. Figure 9 illustrates 
the general format of such a data object. The data object 900 includes multiple fields 
including for example, field A 901, field B 902 and other fields 903. 
[0041] The stracture of the data object follows a specific set of mles or "schema" 
regarding where the fields are placed in a data structure, and the particular meaning of 

30 the fields. The schema may have an initial set of rules regarding the placement and 
meaning of an initial set of fields. However, the schema may also provide mles for 
adding more fields to the data structure, thus allowing flexibility in the amount and 
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types of fields that a schema may support. Thus, the schema may be extensible. As 
long as an application follows the set of rules when interpreting the data object, the 
application will be able to interpret the meaning and content of the various fields 
within the data object. Thus, if a schema is widely recognized and followed, the data 
5 object may be interpreted by a wide variety of applications. In one embodiment, the 
data object is organized as an eXtenstible Markup Language (XML) document. XML 
documents are beneficial and capable of defining a data structure that follows a 
schema because XML provides for name-value pairing or ""tags'' where the meaning 
of the value may be implied by the name. 
10 [0042] In the illustrated example, data objects are shown corresponding to an 
identity "A*' and an identity *"B". However, it will be apparent that the principles of 
the present invention may be applied to allow identity-centric access for any number 
of identities. 

[0043] Once again, the data services 331 may include many type-specific data 

15 services 510. For example, address service 511 manages an address data object 51 lA 
for identity A among others. The address data object may include information such as 
the corresponding identity's name, residence address, business address, home 
telephone number, work telephone number, fax number, mobile number, e-mail 
addresses, and the like. The address data objea 511A is organized according to a 

20 specific schema that is followed by a number of applications. The data object 51 lA 
may be not in the clear as stored or transmitted. For example, the data object 5 1 1 A 
may be encrypted or compressed, in which case decryption or decompression, 
respectively, may be necessary before the schematized structure may be discemable. 
[0044] Proceeding down the list of type-specific data services 510, the contacts 

25 service 512 maintains a contacts data object 512A for identity A and a contacts data 
object 512B for identity B. The contacts data object may include contact information 
for individuals or organizations that the corresponding identity has interest in. The 
identity may have previously entered the contact information anticipating that such 
information might be usefiil in contacting the individual or organization. The contacts 

30 data object may also be organized according to a specific schema that may be 
recognized by multiple applications. The schema for the contacts data object may be 
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different than the schema for the address data object since schemas are best organized 
when considering the nature of the underlying data type. 

[0045] Proceeding further down the type-specific data services 510 is a grocery 
list service 513 tiiat inaintains a grocery list data object 513A for storing a grocery 
5 list associated with identity A. In addition, an in-box service 5 14 maintains-an in-box 
data object 514A for received e-mails directed towards identity A, and an in-box data 
object 514B for received e-mails directed towards identity B. A music service 515 
maintains a music data object 515A that stores music preferences for identity A. 
Another address service 516 maintains an address data object 516B for identity B. A 
10 calendar service 517 stores a calendar data object 517B corresponding to the schedule 
of identity B. A docimient service 518 maintains a document data object 51 8B for 
storing various documents tiiat identity B is entitled to access. 

[0046] The type-specific data services 510 may also include many other types of 
type-specific data services as represented by the vertical ellipses in Figure 5. For 

15 example, the type-specific data services may include a data service that maintains 
settings for various applications that are used by an identity^ a data service that 
maintains a list of physical devices (and their capabilities) which associate with and 
interact with a given identity, a favorite Web site service that maintains a list of the 
identity's designated favorite Web sites, a location service that maintains a list of 

20 location-centric information about an identity, and the like. 

[0047] For clarity, only an example list of type-specific data services has been 
mentioned. It will be apparent, in light of this disclosure, that the variety of type- 
specific data services is essentially imlimited. Each of the type-specific services 
maintains identity-specific data objects that follow a schema according to the type of 

25 data. In addition, there may be a number of type-specific services that maintain data 
stmctures of a particular type. For example, while address service 511 maintains 
identity A's address information, address service 516 maintains identity B's address 
information. 

[0048] The type-specific data services 5 1 0 may be located anywhere in a network. 
30 However, in order to maximize availability, the type-specific data services 510 may 
be accessible via the Internet. Thus, the type-specific data services may be provided 
by a Web site and may be accessed via, for example, a World Wide Web address or 
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Other Unifonn Resource Identifier (URI). As used in this description or in the claims, 
a Uniform Resource Identifier or URI is defined as any local or network addressing or 
naming mechanism and is broad enough to encompasses Globally Unique IDs (or 
GUIDs), Internet Protocol (IP) addresses, or yet to be developed addressing or naming 
5 mechanisms. 

[0049] The number of type-specific data services 5 1 0 in the data services 33 1 may 
be quite large. In addition, the number of identities for which the data services 331 
maintams identity-centric data may also be quite large. Accordingly, to assist in 
locating a particular type-specific data service corresponding to a particular 
1 0 individual, the data services 33 1 includes a locator service 520. 

[0050] The locator service 520 organizes relevant lype-specific data service 
addresses on an identity-specific basis. For example, the locator service 520 also 
maintains a data object 520A that represents a list of addresses corresponding to the 
type-specific data services that maintain identity A's data. For example, data object 
15 520 mcludes the address service address 521, the contacts service address 522, the 
grocery list service address 523, the in-box service address 524, and the music service 
address 525. An arrow represents the logical addressing relationship where the 
address at the tail of the arrow is the address for the service at the head of the arrow. 
[0051] The locator service 520 organizes such data objects for other identities as 
20 well. For example, a data structure 520B includes relevant addresses for identity B 
such as the address service address 526, the calendar service address 527, another 
instance of the contacts service address 522', the document service address 528, and 
another instance of the in-box data service 524'. The addresses also point to the 
relevant type-specific data service. However, for clarity, the complete arrow is not 
25 shown for identity B. Instead, a corresponding letter A through E indicates the 
continuation of the arrow. 

[0052] The address locator service 520 may also be located in any network. 
However, to fecilitate availability yet again, the locator service 520 may be 
implemented on the Internet in the form of a Web site. In this case, the locator 
30 service 520 may be accessed via a World Wide Web address or other URI. 

[0053] The identity 310, the application 320, and the data services 331 interact 
such that the data access model of Figure 3 is emulated. This interaction is described 
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with frequent reference to both Figure 5 and Figure 6, which illustrates a flowchart of 
a method of performing operations on an identity's data in accordance with the 
present invention. 

[0054] Initially, the application 320 determines that data associated with the 
5 identity is to be operatedron-(act 601). In the normal course of operation, an 
application typically performs various operations on data. The scenarios in which 
data is operated upon and the types of operations performed depend heavily on the 
type of application. The principles of the present invention may be implemented with 
any application that needs to access data. 

10 [0055] Next, the method performs a step for formulating a request to operate on 
the data via a structured network message that identifies the identity (step 602). In 
one embodiment, this includes specific conesfKinding acts 603 and 604. More 
particularly, the application identifies a data structure that represents the data 
associated with the identity (act 603). For example, if the application 320 is to add a 

15 new contact to identity A's contact data structure 320A, the application will uniquely 
identify the data structure vising an identification of the identity (e.g., "identity A'') as 
well as an identification of the schema of the particular type-specific data object to be 
operated on (e.g., "contacts"). 

[0056] Next, the ^plication constructs a network message in accordance with a 
20 message format that is recognized by the service (act 604). The network message 
represents a request to perform the operation on the data structure and may be 
stractured as illustrated in Figure 8 for network message 800. The network message 
800 includes an identification of an identity 801 (e.g., ^'identity A*0- 
[0057] A type-specific data service may able to identify the iq>propriate data 
25 stmcture to operate on based on the identity alone. However, this may not always be 
the case. Accordingly, the network message 800 may also include an identification of 
the schema 802 associated with the data structure (e.g., "contacts'*). For example, the 
application 320 may query the address locator 520 for the address corresponding to 
identity A's contacts data object. In this case, the address locator 520 might need to 
30 know the schema of the service desired. Otherwise, the address locator 520 might not 
know whether to return the address for identity A's contacts service, or whether to 
return an address corresp>onding to some other type-specific data service associate 
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with identity A. On the other hand, if the network message is dispatched directly to 
the contact service associated with identity A, it may be implied that the requested 
operation is to be performed on a contacts data structure. In other words, the 
destination address of the network message may itself imply the schema. 
5 [0058] The network message 800 also includes a method field 803 wheaeby the 
requested operation type may be specified. For example, such operations might 
include add, delete, query, update or other operations that allow for reading fit>m and 
writing to the corresponding data object 

I0059J The network message 800 might also include a correlation data field 804. 
10 The correlation data pennits ^plications to recognize that a particular incoming 
message represoits a response to a particular outgoing request messt^e. Some 
protocols such as HypcrText Transport Protocol (HTTP) are a request/response 
protocol in which the correlation data is maintained by the transport protocol itself 
However, other protocols such as Simple Mail Transfer Protocol (SMTP) are not 
15 request/response oriented. 

[0060] In order to facilitate communication over a wide variety of protocols, the 
network message 800 may expressly state the correlation data 804. For example, the 
correlation data 804 may represent a message identification that uniquely identifies 
the message to the application 320. The network message 800 may also include other 
20 fields 805. More regarding how such a network message may be structured is 
described in the conunonly-owned, co-pending United States application serial 
number [Attorney Docket No: 13768.198.2], filed on the same data herewith, and 
entitled "Messaging Infiastructuie for Identity-Centric Data Access", which 
application is incorporated herein by reference in its enturety. 
25 [0061] In one embodiment, the network message is an XML document that is 
specifically structured in accordance with Simple Object Access Protocol or "SOAP". 
SOAP specifies a structure or "SOAP envelope" of an XML document including a 
body portion as well as a header portion, but also allows for great flexibility in the 
type of headers and the type of content included in the body. 
30 [0062] Returning to Figure 6, the application 320 then dispatches the network 
message to the service (act 605). This may include forming the network message as 
the body of a transport protocol message. For example, the network message may be 
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included in tiie body of an HTTP request, an SMTP message, or any other type of 
message transfer protocol or technique. The address of the service is specified in the 
transport level message for appropriate routing of the network message to the service. 
[0063] Referring to Figure S, the service that receives the message may be the 
5 locator service 520 or one of the type-specific data services 510. Regardless of the 
service that receives the network message (act 606), the service interprets the network 
message in light of the message format to thereby extract the various fields of the 
network message 800 (act 607). The service then performs the requested operation on 
the data structure using the data format (608). 

10 [0064] Returning back to Figure 5, if the application 320 already has the address 
of the desired type-specific data, the application 320 may use the method of Figure 6 
to immediately dispatch a network message to the corresponding type-specific data 
service without having to query the locator service 520 for the address. This direct 
access is represent by arrow 531 in Figure 5. For ^cample, the application 320 may 

15 have previously acquired that address fit>m the locator service 520, and stored the 
address locally. 

[0065] However, there may often be instances in which the application 320 is 
unaware of the address of the type-specific data service that the application 320 is to 
access. Accordingly, the application 320 may first query the locator service 520 for 

20 the address. The process of querying the locator service 520 is represented in Figure 
5 by bi-directional arrow 532 and by the flowchart of Figure 7. Specifically, the 
application constructs a network message in accordance with the message format 
recognized by the locator service (act 700). The message represents a query for the 
address using an identification of the identity. The network message is then 

25 dispatched (act 701) and received by the locator service (act 702). The locator service 
then finds the address based on the identification of the identity (act 703). The locator 
service then returns a network message that includes the address (act 704) whereupon 
the message is received by the application (act 705). 

[0066] If the schemas of the various type-specific data structures are recognized 
30 by a variety of applications, and if there is a wide variety of applications that may 
stmcture a network message in accordance with a message format recognized by the 
services, then the data need not be locally stored. Instead, any of a wide variety of 
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plications may, with suitable modification to implement the principles of the 
present invention, be used to access the data. Thus, the identity may voyage from one 
application to the next, from one device to the next, and access the same data without 
fear of needing to attend to data inconsistencies or otherwise ensure that copies of the 
5 data are locally stored on multiple devices. From the identity's perspective, the 
identity (or its authorized representative) has access to the identity-owned data or any 
o&er authorized data at any time, at any place, and from any device. 
[0067] Altiiou^ the identity has access to the identity's own data, if it suits the 
identity's desires, the identity may choose to authorize that other identities or 
10 plications perform certain operations on certain portions of the identity's data. In 
order to allow the identity to maintain control over the identity's own data, this 
au&orization may also be revoked as desired. In one embodiment, access privileges 
to a particular type-specific data structure for a given identity are maintained by the 
corresponding tyrpe-specific data service. In particular, the type-specific data structure 
15 has a "content" portion that represents the actual data, as well as an access control 
rules portion that defines which users have what rights to operate on what data. A 
particular example of access control rules used in this description is an Access 
Control List or ACL. Such access control rules may also be referred to as "role lists". 
However, it will be parent that the present invention is not limited to any particular 
20 type of access control rule. Hie network message may also include an identification 
of a requestor if other than the identity whose data is being operated upon. The type- 
specific service may then consult the access control rules to determine whether the 
request to operate on the data should be granted. 

[0068] Figure 10 sdiematically illustrates a structure of a service 1000 that may 
25 accomphsh this. Specifically, the service may include one or more logic modules 
1001, 1002, and 1003 that manage access to one or more memory components 1004 
and 1005. Memory 1005 is illustrated as storing content data 1006, ACL data 1007, 
and system data 1008. Each data structure may have content, an ACL, and system 
data. Thus, the network message may also include an identification of which portion 
30 (content, ACL, or system) the requestor desires to perform the operation upon. The 
identity may then request modifications to the ACL to ensure that other desired 
identities and applications are given at least limited access to the identity's data. 
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[0069] In this manner, convenient data sharing may be enabled. For example, the 
user may draft a document, store the document in the user's document service, and 
then share the document with a remotely located partner by submitting a command to 
appropriately alter the ACL of the corresponding document data structure. The 
5 remotely located partoCT-ma^y ihjen use a local-device to perform authorized operations 
on the document. 

[0070] In one example embodiment, all of the requests are filtered through a 
centralized station that consolidates and performs functions that are common to each 
of the services. Figure 12 illustrates a more specific diagram of the station 1200 and 

10 one of the services identified as service 1220. The station 1200 receives a request 
fit>m an application using a network protocol such as HyperText Transport Protocol 
(HTTP) represented by arrow 1201, or Direct Internet Message Encapsulation 
(DIME) rq)resented by arrow 1202. The station 1200 includes a message connector 
1203, which receives the request and passes the message up the protocol stack so that 

IS the request may be further processed. The request is then provided to an input thread 
pool 1204 for temporary storage. 

[0071] The request is then parsed at a message processor 1205, which parses the 
request into various components. For example, in one embodiment, the request is a 
Simple Object Access Protocol (SOAP) message in which case the message processor 

20 1205 parses using the appropriate SOAP protocol. The message processor 1205 may 
also perform some preliminary level of mle checking to make sure the request should 
be further processed. For example, if the request is to manipulate a data structure that 
none of the services manage, the message processor 1205 noay abstain from passing 
the reqiiest further down the process flow, and instead simply generate an error 

25 message using the response generation module 1212 to be returned via the message 
connector 1203. 

[0072] The request may then be filtered by a firewall 1206 and then logged using 
a logger 1207. A firewall may also reject a request and generate an error message 
using the response generation module 1212 that is returned as a response via the 
30 message connector 1203. A local log 1210 may receive and store event information 
received from the firewall 1206, as well as normal logging information received from 
the logger 1207 such as the following for each received request: time received. 
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method type, attribute types, and address of request. Then, an authorization module 
1208 determines if the request is authorized to perform the requested operation on the 
target data stracture. If authorization fails, then an error message is returned via the 
response generation module 1212 and the message connector 1203. Then 
5 authorization module 1208 may consult the ACL database 1227. 

[0073] In one example, the request is in the form of an SOAP envelope, which 
contains unencrypted header information, as well as an optional encrypted body 
portion. A decryption module 1209 decrypts the body of the request. Then, a 
signature checker 1211 checks any signatures associated with the request to guard 
10 against tampering. Any fidled decryption or signature checking may also be returned 
to the requestor in the form of an error message generated by the response generation 
module 1212. 

[0074] After signature checking, the station 1200 then passes information 
sufficient to accomplish the requested operation to the appropriate target service. 
15 This information includes a message that the request is authorized, the scope of access 
permissions, an identification of the requested method, and any needed request 
details. 

[0075] The information is then passed to the service dispatch module 1221 of the 
service 1220. The service logic 1222 then receives and processes the information. 
20 The service logic 1222 is enable of perform standard methods 1223 including insert, 
query, update, delete, and replace as well as possibly some service specific methods 
1224. 

[0076] In order to execute the requested operation, the service logic accesses a 
data store that store the data stmctures to be manipulated. In one raibodiment, the 
25 data structures to be operated upon are extensible Markup Language (XML) 
documents in which case the data store is an XML store 1225. The data structures to 
be accessed may be content documents 1226, ACL documents 1227 or system 
documents 1228. 

(0077] Once the requested operation is performed on the target data structure 
30 using the service logic 1222 interacting with the XML store 1225, response 
infomiation is provided to service completion module 1229. The response 
inforaiation is then passed to response generation module 1212 for generation of an 
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appropriate response. The response is then returned to the user via the message 
connector 1203. 

[0078] Having now described the principles of the present invention in detail, it is 
noted that the precise hardware configuration that implements the above-described 
5 features is not important to the present invention. For example, the locator ^service 
520 may be implemented by one computing device or device cluster. In addition, a 
computing device or device cluster may implement groups of one or more of the other 
identity-based services such as those illustrated in Figure 5. Also, the application 320 
may be implemented on any device. Indeed, one of the unique features of the present 

10 invention is its lack of dependence on the hardware operating enviromnent. 

[0079] Nevertheless, for the sake of completeness. Figure 11 illustrates an 
example computing system that may itself or in combination with other computing 
devices implement all or portions of the features described above. The example 
system includes a general purpose computing device in the form of a conventional 

15 computing device 1120, mcluding a processing unit 1121, a system memory 1122, 
and a system bus 1 123 that couples various system components including the system 
memory 1122 to the processing unit 1121. The system bus 1123 may be any of 
several types of bus structures including a memory bus or memory controller, a 
peripheral bus, and a local bus using any of a variety of bus architectures. The system 

20 memory includes read only memory (ROM) 1 124 and random access memory (RAM) 
1125. A basic input/output system (BIOS) 1126, containing the basic routines that 
help transfer information between elements within the computer 1 120, such as during 
start*up, may be stored in ROM 1 124. 

[0080] The computer 1 120 may also include a magnetic hard disk drive 1 127 for 
25 reading &om and writing to a magnetic hard disk 1 139, a magnetic disk drive 1 128 for 
reading from or writing to a removable magnetic disk 1 129, and an optical disk drive 
1 130 for reading from or writing to removable optical disk 1 131 such as a CD-ROM 
or other optical media. The magnetic hard disk drive 1 127, magnetic disk drive 1 128, 
and optical disk drive 1 130 are connected to the system bus 1 123 by a hard disk drive 
30 mterface 1132, a magnetic disk drive-interface 1133, and an optical drive interface 
1 134, respectively. The drives and their associated computer-readable media provide 
nonvolatile storage of computer-executable instructions, data structures, program 
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modules and other data for the computer 1 120. Although the exemplary environment 
described herein employs a magnetic hard disk 1 139, a removable magnetic disk 1 129 
and a removable optical disk 1131, other types of computer readable media for storing 
data can be used, including magnetic cassettes, flash memory cards, digital versatile 
5 disks, Bernoulli cartridges, RAMs, ROMs, and the like. 

[0081] Program code means comprising one or more program modules may be 
stored on the hard disk 1139, magnetic disk 1129, optical disk 1131, ROM 1124 or 
RAM 11 25, including an operating system 1135, one or more application programs 
1 136, other program modules 1 137, and program data 1 138. For example, application 
10 320 and the various data services may each be an plication program such as 
{plication programs 1 136. 

[0082] A usCT may enter commands and information into the computer 1120 
through keyboard 1140, pointing device 1142, or other mput devices (not shown), 
su<A as a microphone, joy stick, game pad, satellite dish, scanner, or tiie like. These 

15 and other input devices are often connected to the processing unit 1121 through a 
serial port interface 1146 coupled to system bus 1123. Alternatively, the input 
devices may be connected by other interfaces, such as a parallel port, a game port or a 
universal serial bus (IJSB). A monitor 1147 or another display device is also 
connected to system bus 1123 via an interfEu^e, such as video adapter 1148. In 

20 addition to the monitor, personal computers typically include other peripheral output 
devices (not shown), such as speakers and printers. 

[0083] The computer 1 1 20 may operate in a networked environment using logical 
connections to one or more remote computers, such as remote computers 1 149a and 
1 149b. Remote computers 1 149a and 1 149b may each be another personal computer, 

25 a SCTver, a router, a network PC, a peer device or other common network node, and 
typically include many or all of the elements described above relative to the computer 
1120, although only memory storage devices 1150a and 1150b and their associated 
application programs 1 136a and 1 136b have been illustrated in Figure 11. The logical 
connections depicted in Figure 11 include a local area network (LAN) 1151 and a 

30 wide area network (WAN) 1 1 52 tiiat are presented here by way of example and not 
limitation. Such networking environments are commonplace in ofl5ce-wide or 
entetprise-vsdde computer networks, intranets and the Internet These networics may 
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be the means whereby the network messages are communicated between the 
application 320 and the data services 33 1 . 

[0084] When used in a LAN networking environment, the computer 1120 is 
connected to the local network 1151 through a network interface or adapter 1153. 
5 When used in a WAN networking enviroimaent, the computer 1120 may include a 
modem 1154, a wireless link, or other means for establishing communications over 
the wide area network 1 152, such as the Internet. The modem 1 154, which may be 
internal or external, is connected to the system bus 1 123 via the serial port interface 
1146. In a networked envirorunent, program modules depicted relative to the 
10 computer 1120, or portions thereof, may be stored in the remote memory storage 
device. It will be appreciated that the network coimections shown are exemplary and 
other means of establishing communications over wide area network 1152 may be 
used. 

[0085] Accordingly, the principles of Ae present invention allow for the 
15 convenient organization of data on an identity-centric basis. The present invention 
may be embodied in other specific forms without departing from its spirit or essential 
characteristics. The described embodiments are to be considered in all respects only 
as illustrative and not restrictive. The scope of the invention is, iflierefore, indicated 
by the appended claims rather than by the foregoing description. All changes which 
20 come within the meaning and range of equivalency of the claims are to be embraced 
within their scope. 
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1. In a computer environment including a plurality of applications that 
operate on data related to an identity, the computer environment also including a 
service that maintains data associated with the identity, a method for one of the 
plurality of apphcations to operate on data related to the identity, the method 
5 comprising the following: 

an act of identifying a data structure that represents data that is to be operated 
on, the data being associated with the identity, the data structure being in accordance 
with a data format recognized by the service and the plurality of applications; 

an act of constmcting a network message in accordance with a message format 
10 that is recognized by the service, the network message representing a request to 
perform &e operation on the data structure, the network message identifying the data 
stmcture by identifying the idmtiQr; and 

an act of dispatching the network message to the service. 

2. A method in accordance with Claim 1, wherein the act of dispatching 
15 the network message to the service comprises dispatching the network message 

directly to the service without first communicating with a locator service. 

3. A method in accordance with Claim 1, wherein the data stmcture 
comprises a content data structure that represents the actual data of interest. 

4. A method in accordance with Claim 1, \^erein the data structure 
20 comprises an access control data stmcture. 

5. A method in accordance with Claim 1, wherein the data stmcture 
comprises a systems data stmcture. 

6. A method m accordance with Claim 1, wherein the data that is to be 
operated on is not directly accessed by the plurality of application, but is only directly 

25 accessed via the service. 

7. A method in accordance with Claim 1, further comprising: 

an act of the granting the application access to the data stmcture prior to the 
acts of identifying, constructing, and dispatching. 

8. A method in accordance with Claim 1 , further comprising: 

30 an act of revoking access from the application to the data stmcture after the 

acts of identifying, constmcting, and dispatching. 

9. A method in accordance with Claim 1, further comprising the 
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following: 

an act of determining an address of the service. 

10, A method in accordance with Claim 9, wherein the act of constructing 
a network message comprises the following: 

5 ^ . ^ - an act<)f including the address of Ae servi^ 

11. A method in accordance with Claim 9, wherein the network message is 
a jSrst network message, wherein the act of determining an address of the service 
comprises the following: 

an act of constmcting a second network message in accordance with the 
10 message format that is recognized by a locator service, the second network message 

representing a query for the address using the identification of the identity; 

an act of dispatching the second network message to the locator service; and 
an act of receiving a response from the locator service that includes the 

address. 

15 . 12. Amethodinaccordance with Claim 11, wherein the act of receiving a 

response from the locator service comprises tiie following: 

an act of icceiving a third network message from the locator service, the third 
network message being in accordance with the message format. 

13. A method in accordance with Claim 1, wherein the act of constructing 
20 a network message in accordance with a message format that is recognized by the 

service comprises the following: 

an act of constructing a network message in accordance with the Simple 
Object Access Protocol. 

14. A method in accordance with Claim 1, wherein the act of dispatching 
25 the network message to the service comprises the following: 

an act of dispatching the network request to a locator service that maintains a 
list of addresses for type-specific data services corresponding to the identity. 

15. A method in accordance with Claim 1, wherein the act of dispatching 
the network message to the service comprises the followdng: 

30 an act of dispatching the network request to a t5^e-specific data service that 

maintains a list of addresses for type-specific data services corresponding to the 
identity. 
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16. A method in accordance with Claim 1, wherein the act of dispatching 
the network message to the service comprises the following: 

an act of dispatching the network message to the service using a transport 
protocol that is compatible with transport over the Internet 

17. A method in accordance with Claim 1, wherein the act of dispatching 
the network message to the service comprises the following: 

an act of dispatching the network message to a different machine as compared 
to the machine that runs the application. 

18. A method in accordance with Claim 1, wherein the act of dispatching 
tiie network message to the service comprises the following: 

an act of dispatching the network message to a service that is run on the same 
machine as the application. 

19. A method in accordance with Claim 1, wherein the identity is an 
individual. 

20. A method in accordance with Claim 1, wherein the identity is a group 
of individuals. 

21. A method in accordance with Claim 1, v^erein the identity is an 
organization. 

22. In a computer environment including a plurality of applications that 
operate on data related to an identity, the computer environment also includmg a 
service that maintains data associated with the identity, a method for one of the 
plurality of applications to operate on data related to the identity, the method 
comprising the following: 

an act of determining that data associated with the identity is to be operated 

on; 

a step for formulating a request to operate on the data via a structured network 
message that identifies the identity; and 

an act of dispatching the network message to the service. 

23. A method in accordance with Claim 22, wherein the step for 
formulating a request comprises the following: 

an act of identifying a data structure that rqjresents the data associated with 
the identity, the data structure being in accordance with a data format xecognized by 
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the service and the plurality of applications; and 

an act of constructing a network message in accordance with a message 
format that is recognized by the service, the network message representing a request 
to perform the operation on the data structure, the network message identifying the 
5 data stmcture by identifying the identity. 

24. A computer program product for use in a computer environment 
including a plurality of applications that operate on data related to an identity, the 
computer environment also including a service that maintains data associated with the 
identity, the computer program product for implementing a method for one of the 

10 plurality of applications to operate on data related to the identity, the computer 
program product comprising one or more computer-readable media having stored 
thereon the following: 

computer-executable instructions for identifying a data structure that 
represents data that is to be operated on, the data being associated with the identity, 
IS the data structure being in accordance with a data format recognized by the service 
and the plurality of applications; 

computer-executable instructions for constmcting a netwoik message in 
accordance with a message format that is recognized by the service, the network 
message representing a request to perform the operation on the data structure, the 
20 network message identifying the data structure by identifying the identity; and 

computer-executable instructions for causing the network message to be 
dispatched to the service. 

25. A computer program product in accordance with Claim 24, wherein 
the one or more computer-readable media are physical storage media. 

25 26. A computer program product in accordance with Claim 24, wherein 

the one or more computer-readable media further have stored thereon the foUov^g: 

computer-executable instructions for constructing a second network message 
in accordance with the message format that is recognized by a locator service, the 
second network message representing a query for the address using the identification 
30 of the identity; 

computer-executable instmctions for causing the second network message to 
be dispatched to the locator service; and 
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computer-executable instructions for detecting the receipt of a response from 
the locator service that includes the address. 

27. In a computer environment including a plurality of applications that 
operate on data related to an identity, the computer environment also including a 

5 service that maintains data associated with the identity, a method for the service 
fsicilitating access of the plurality of applications to data related to the identity, the 
method comprising the followdng: 

an act of receiving a network message fit>m one of the plurality of 
applications, the network message structured in accordance with a message format 
10 that is recognized by the service, the network message representing a request to 
operate on a data stmcture associated with the identity, the data stmcture being 
stmctured in accordance with a data format recognized by the service and the 
plurality of applications; 

an act of interpreting the network message in light of the message format to 
15 thereby extract an identification of the identity and an identification of the data 
stmcture; and 

an act of performing the requested operation on the data structure using the 
data fonnat. 

28. A method in accordance with Claim 27, further comprising the 
20 following: 

prior to the act of performing the requested operation, an act of determining 
that the one of the pliu^lity of applications is authorized to perform the requested 
operation on the data structure. 

29. A method in accordance with Claim 28, wherein: 

25 the method further comprises an act of maintaining a list of access rights to the 

data stmcture; and 

the act of determining that the one of the plurality of applications is authorized 
to perfomi the requested operation on the data stmcture comprises an act of referring 
to the Ust of access rights. 
30 30. A method in accordance with Claim 29, wherein the act of maintaining 

a list of access rights to the data stmcture comprises an act of honoring requests 
issued by the identity to control access rights to the data stmcture. 
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31. A method in accordance with Claim 27, wherein the data structure 
represents addresses corresponding to a plurality of type-specific data services that 
Tnfljptain type-specific data structures related to the identity. 

32. A method in accordance with Claim 31, wherein network message is a 
5 first network message, wherein the act of performing the requested operation on the 

data structure comprises the following: 

an act of reading at least one address fi-om the data structure; 

an act of constructing a second network message that includes the at least one 
address read from the data structure; and 
10 an act of dispatching the second network message. 

33. A method in accordance with Claim 32, wherein the act of dispatching 
the second network message comprises an act of dispatching the second network 
message to the one of the plurality of application programs. 

34. A method in accordance with Claim 32, wherein the act of dispatching 
IS the second network message comprises an act of dispatching the second network 

message in accordance with the message format. 

35. A method in accordance with Claim 27, wherein the data structure 
represents personal address information corresponding to the identity. 

36. A method in accordance with Claim 27, wherein the data structure 
20 represents contacts information corresponding to the identity. 

37. A method in accordance with Claim 27, wherein the data structure 
represents grocery list information corresponding to the identity. 

38. A method in accordance with Claim 27, wherein the data structure 
represents in-box information corresponding to the identity. 

25 39. A method in accordance with Claim 27, wherein the data structure 

represents music service information corresponding to the identity. 

40. A method in accordance with Claim 27, wherein the data structure 
represents calendar information corresponding to the identity. 

41. A method in accordance v^th Claim 27, wherein the data structure 
30 represents documents that the identity is entitled to access. 

42. A method in accordance with Claim 27, wherein the data structure 
represents application setting information corresponding to the identity. 
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43. A method in accordance with Claim 27, wherein the data structure 
represents physical device information corresponding to the identity. 

44. A method in accordance with Claim 27, wherein the data structure 
represents favorite Web site information corresponding to tiie identity. 

5 45, A method in accordance with Claim 27, wherein the network message 

is a first network message, wherein the act of performing the requested operation on 
the data structure comprises the following: 

an act of reading at least one address from the data structure; 
an act of constructing a second network message that includes the at least one 
10 address read from the data structure; and 

an act of dispatching the second network message. 

46. A method in accordance with Claim 45, wherein the act of di^atching 
the second netwoxk message comprises an act of di^)atching the second network 
message to the one of the plurality of application programs. 

15 47. A method in accordance with Claim 45, wherein the act of dispatching 

the second network message comprises an act of dispatching the second network 
message in accordance with the message format. 

48. A computer-program product for use in a computer environment 
including a plurality of applications that operate on data related to an identity, the 

20 computer environment also including a service that maintains data associated with the 
identity, the computer program product for implementing a method for tiie service 
facilitating access of the plurality of applications to data related to the identity, the 
computer program product comprising one or more computer-readable media having 
stored thereon the following: 

25 computer-executable instructions for detecting the receipt of a network 

message from one of the plurality of applications, the network message stractured in 
accordance with a message format that is recognized by the service, the network 
message representing a request to operate on a data structure associated with the 
identity, the data stmcture being structured in accordance with a data format 

30 recognized by the service and the plurality of applications; 

computer-executable instructions for interpreting the network message in light 
of the message foraiat to thereby extract an identification of the identity and an 
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identification of the data structure; and 

computer-executable instructions for performing the requested operation on 
the data structure using the data format. 

49. A computer program product in accordance with Claim 48, wherein 
5 the one or more computer-readable media are physical storage media. 

50. A computer program product in accordance with Claim 48, wherein 
the one or more computer-readable media further comprise the following: 

computer-executable instructions for determining that the one of the plurality 
of applications is authorized to perform the requested operation on the data structure 
10 prior to the performing the requested operation. 

51. A computer program product in accordance with Claim 48, wherein 
the one or more computer-readable media further have stored thereon the following: 

computCT-executable instructions for maintaining a list of access rights to the 
data stmcture; and 

15 computer-executable instructions for referring to the list of access rights in 

order to determine that the one of the plurality of application is authorized to perform 
the requested operation on the data structure. 

52. A computer network that fecilitates access to identity-centric data, the 
computer network comprising the following: 

20 a plurality of applications that operate on data related to an identity, each of 

the plurality of applications configured to determine that data associated with the 
identity is to be operated on, identify a data structure that represents the data 
associated with the identity, construct a network message in accordance with a 
message structure recognized by the plurality of applications, the network message 

25 representing a request to perform the operation on the data structure, the network 
message identifying the data structure by identifying the identity, and configured to 
dispatch the network message to the service; and 

a plurality of services that maintain data associated with the identity, each of 
the plurality of applications configured to detect the receipt of the network message 

30 fi-om one of the plurality of applications, interpret the network message in light of the 
message format to thereby extract an identification of the identity and an 
identification of the data structure, and perform the requested operation on the data 
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Structure using the data format. 

53. A method for providing identity-centric data to one or 
more applications, the method including at least the following acts: 

storing identity-centric data relating to multiple identities in a data 
S store associated with a data service; 

receiving various requests from the applications for identity-centric data 
relating to at least some of the identities; and 

providing the requested data to the requesting applications in re^onse to their 
requests. 

0 54. A method for accessing identity-centric data via a data service which 

maintains identity-centric data relating to user identities, the method comprising: 

requesting identity-centric data relating to one or more of the user identities 
from the data service, and 

receiving the requested data from the data service. 
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